[00:00.000 --> 00:02.680]  Welcome to our presentation. We will talk about Android malware and how we hacked their C2s.
[00:03.760 --> 00:07.720]  Our presentation will have three parts.
[00:08.120 --> 00:14.240]  First, we will introduce ourselves, our work and basic knowledge about Android.
[00:14.240 --> 00:19.680]  Second, we will introduce Android malware scenes and analysis of some families.
[00:20.100 --> 00:24.300]  Third, we will look at how we exploit C2s.
[00:25.800 --> 00:28.980]  I am Kursat and my co-speaker is Mert.
[00:28.980 --> 00:32.680]  We are both security engineers at Trendyol and Blackbox Security.
[00:34.500 --> 00:38.580]  We find Android malware samples and analyze them.
[00:38.580 --> 00:42.100]  We find IOCs and hack them to purge stolen data.
[00:45.040 --> 00:47.780]  Now let's look at Google Play Store.
[00:47.780 --> 00:52.780]  To fight Android malware, Google introduced Bouncer as an anti-malware tool.
[00:52.780 --> 00:57.100]  But it has distinct features and you can easily detect it.
[00:57.860 --> 01:03.400]  When you upload your APK file, it uploads it to an emulator.
[01:03.400 --> 01:07.180]  This emulator has only one contact and two photos.
[01:07.180 --> 01:12.740]  You can also detect Bouncer's IP range while it's running your APK.
[01:12.740 --> 01:16.740]  You can also use it to evade Bouncer.
[01:19.380 --> 01:24.560]  Because you can detect its features, you can use different techniques to bypass it.
[01:24.560 --> 01:30.760]  Implementing anti-analysis and anti-emulator techniques is just one example of this.
[01:30.780 --> 01:36.840]  You can also download your malicious dex file separately and load it into your APK.
[01:36.840 --> 01:41.320]  With this, Bouncer can't even see your malicious code.
[01:44.290 --> 01:47.710]  Android was by design not that secure back then.
[01:47.710 --> 01:51.670]  But nowadays, they are implementing new features to harden it.
[01:51.670 --> 01:57.910]  With Android P, battery encryption, process isolation, and authentication are implemented.
[01:57.910 --> 01:59.310]  Not just that.
[01:59.310 --> 02:06.010]  Google Play Store also changed its rules to prevent the SMS and call log permissions from being used in apps.
[02:07.790 --> 02:11.630]  With Android Q, even more hardening is introduced.
[02:12.010 --> 02:17.730]  Android Q removed clipboard monitoring and background activity, and limited screen recording.
[02:17.730 --> 02:22.970]  It also restricts the Bubbles API, which is commonly used for phishing by attackers.
[02:22.970 --> 02:29.310]  Also, Google introduced the App Defense Alliance to combat malware in Google Play Store.
[02:29.310 --> 02:33.550]  The Alliance itself includes companies which specialize in mobile malware.
[02:37.210 --> 02:39.890]  Let's look at the Android malware scene.
[02:39.890 --> 02:43.010]  There are five types of malware common on Android.
[02:43.010 --> 02:44.690]  First is adware.
[02:44.690 --> 02:48.190]  It shows you advertisements in a hidden manner.
[02:48.190 --> 02:49.750]  Second is spyware.
[02:49.750 --> 02:55.010]  Spyware commonly steals personal information in order to sell it.
[02:55.210 --> 02:56.810]  Third is trojans.
[02:56.810 --> 03:00.730]  They are commonly used to steal banking information.
[03:00.730 --> 03:02.450]  Fourth is ransomware.
[03:02.450 --> 03:07.390]  It is commonly used as a feature in bank bots nowadays.
[03:07.390 --> 03:12.630]  When you try to remove the malware, it activates the ransomware feature.
[03:12.690 --> 03:15.090]  And lastly, crypto miners.
[03:15.090 --> 03:23.730]  They were common back then, but nowadays, due to some restrictions,
[03:23.730 --> 03:28.370]  like background activities no longer being a thing in Android's operating system,
[03:28.370 --> 03:30.810]  they are decreasing.
[03:31.430 --> 03:36.830]  Threat actors usually target companies through social media advertisements to spread malware.
[03:39.910 --> 03:43.090]  There is also malware-as-a-service malware.
[03:43.090 --> 03:47.130]  At first, there was GM Bot, which inspired Marcher.
[03:47.130 --> 03:53.210]  After Marcher, Exobot emerged and it evolved into Red Alert.
[03:53.210 --> 03:57.970]  Red Alert has distinct features which were also carried on to Anubis.
[03:57.970 --> 04:03.630]  Nowadays, Cerberus malware is active and popular in the as-a-service scene.
[04:03.630 --> 04:07.290]  They evolve over time as the threat actors change.
[04:07.290 --> 04:10.970]  They all use anti-analysis techniques and droppers.
[04:13.970 --> 04:19.710]  Exobot uses a dropper to distribute itself in Google Play Store.
[04:21.090 --> 04:26.910]  It also uses root detection and anti-monitoring by checking the device ID,
[04:26.910 --> 04:29.730]  country, and operator on the device.
[04:29.730 --> 04:37.670]  It also tries to run a shell command to find the su binary, which is present when the device is rooted.
[04:40.720 --> 04:44.060]  You can see what Exobot looks for in the strings.
[04:46.200 --> 04:50.600]  You can bypass anti-monitoring with Frida like this.
[04:51.240 --> 04:54.920]  And root detection like this.
[04:55.560 --> 04:57.980]  Red Alert uses Twitter for C2.
[04:57.980 --> 05:00.640]  The last tweet contains the IP of the C2.
[05:00.640 --> 05:08.320]  It fetches the last tweet to find out the current C2 and uploads the data it has stolen there.
[05:11.660 --> 05:15.860]  It asks for device admin permission to take over the phone.
[05:18.940 --> 05:23.360]  It also checks the list of installed apps to look for specific apps.
[05:25.700 --> 05:27.980]  Anubis is a good bank bot example.
[05:27.980 --> 05:30.060]  It operates as a service.
[05:30.060 --> 05:35.980]  It has multiple versions, which suggests it has multiple different developers.
[05:37.620 --> 05:43.220]  It uses fake apps and phishing campaigns to distribute samples.
[05:43.300 --> 05:46.840]  These are all Turkish bank or popular applications.
[05:50.040 --> 05:52.720]  It also uses a dropper.
[05:54.260 --> 05:57.880]  And it uses obfuscation in the dropper sample.
[06:00.400 --> 06:03.360]  Dropped Anubis samples are encrypted.
[06:05.540 --> 06:11.480]  Once you decrypt it, you can see it uses call forwarding for bank numbers.
[06:14.490 --> 06:17.970]  And it uses an overlay attack to steal banking credentials.
[06:18.710 --> 06:22.270]  If you try to remove it, the ransomware feature activates.
[06:25.750 --> 06:31.250]  Anubis decrypts in memory and writes the decrypted code to a jar file.
[06:31.250 --> 06:36.670]  After that, it loads the jar file, which contains the malicious function.
[06:37.010 --> 06:43.390]  This Frida script changes the delete function so that you can fetch the decrypted file from the device.
[06:43.390 --> 06:46.670]  You can fetch the decrypted code like this.
[06:48.870 --> 06:51.960]  And like this if native code is used.
[06:54.120 --> 06:56.300]  Hydra is another service.
[06:56.300 --> 06:59.740]  It imitates government apps to distribute itself.
[07:01.750 --> 07:07.190]  Once you create a Hydra sample in the panel, it has a time limit to activate,
[07:07.190 --> 07:09.470]  like some start-to-finish time.
[07:09.470 --> 07:14.530]  It uses an overlay attack to steal banking and other personal information.
[07:17.280 --> 07:20.540]  You can bypass the time limitation like this.
[07:21.560 --> 07:27.200]  And like this if native code is used.
[07:27.960 --> 07:33.100]  Cerberus is the most updated and dangerous one among them.
[07:33.100 --> 07:38.700]  They are highly active on Twitter and regularly update the Cerberus malware,
[07:38.700 --> 07:44.080]  which commonly bypasses Bouncer and can be found in Google Play Store.
[07:45.060 --> 07:48.220]  It uses sensor data to detect emulators.
[07:48.220 --> 07:52.180]  You can imitate sensor movement and bypass this check.
[07:55.140 --> 08:00.820]  C2s are mainly used to distribute samples and manage bots.
[08:00.820 --> 08:03.140]  And they contain stolen information.
[08:05.380 --> 08:12.120]  You can use this script to automate C2 extraction for some samples.
[08:12.120 --> 08:18.580]  Not every sample has an automated C2 extractor, decryptor, or unpacker.
[08:18.580 --> 08:27.340]  But you can find some useful ones on the GitHub page that help you analyze samples faster.
[08:27.340 --> 08:31.640]  Now let's look at some vulnerabilities we found in C2s.
[08:31.640 --> 08:36.200]  Note that most of the C2s are part of malware-as-a-service.
[08:36.480 --> 08:40.060]  So if you find a vulnerability in one panel,
[08:40.060 --> 08:44.680]  it's highly likely present on the other panels using the same malware.
[08:46.220 --> 08:50.300]  Red Alert panels have a directory listing vulnerability.
[08:50.300 --> 08:54.220]  You can fetch infected device information from the panels.
[08:56.040 --> 09:01.260]  You can find all infected phone data and stolen information.
[09:03.950 --> 09:07.330]  And also find encryption keys.
[09:09.320 --> 09:11.800]  Let's look at another panel.
[09:11.800 --> 09:16.200]  One custom malware panel had the password in the page source.
[09:19.200 --> 09:21.960]  Using this, you could log into the panel.
[09:25.340 --> 09:29.420]  It has many infected hosts and functions to control them.
[09:29.640 --> 09:32.520]  It also had a file upload feature.
[09:34.910 --> 09:38.170]  Exploiting the file upload, we got a shell.
[09:38.170 --> 09:42.210]  We purged all data and shut down its operation.
[09:45.370 --> 09:48.590]  Some other custom panel had SQL injection.
[09:50.590 --> 09:55.470]  We logged in as admin with it and took over the panel.
[09:58.230 --> 10:02.250]  All Twitter phishing campaigns and malware distribution campaigns
[10:02.250 --> 10:04.870]  had a stored XSS vulnerability.
[10:08.180 --> 10:10.740]  With this, you can sniff the admin token to log in
[10:10.740 --> 10:14.460]  and see all stolen information.
[10:17.770 --> 10:20.850]  And all stolen credit card data.
[10:24.860 --> 10:27.060]  And social security numbers.
[10:27.060 --> 10:29.760]  We set up a cron job to delete them daily.
[10:32.940 --> 10:35.680]  The main takeaways from our presentation are:
[10:35.680 --> 10:38.660]  we identified malware-as-a-service users
[10:38.660 --> 10:42.220]  and hacked their sites to purge stolen data.
[10:42.220 --> 10:45.700]  We also shared our findings with the task force
[10:45.700 --> 10:49.180]  and 13 threat actors got arrested.
[10:49.540 --> 10:54.120]  If you have any questions, we will be on Discord to answer them.
[10:54.120 --> 10:58.820]  Don't forget to check your downloaded apps from Google Play Store.
[10:59.000 --> 11:00.920]  Never trust any application.
[11:01.800 --> 11:03.960]  Thank you all for listening.
[11:04.900 --> 11:07.480]  It was a pleasure to be here today.
